This is how to demonstrate a client-side/social engineering attack against internal systems.
It only takes that one critical click – and you will own the box, and perhaps the systems around it on the network, bypassing sophisticated anti-virus software and expensive [next-gen] firewalls.
This attack methodology works even on the latest and most hardened workstation, even with the security defences running (UAC, DEP, ASLR, EMET, etc.)
and the AV default options enabled (i.e. firewall, application control, proactive defence, etc.).
Windows 7, 8 and 10 are not vulnerable to old (XP-era) remote exploits such as MS08-067 (XP) and MS09-050 (Vista).
Note that most (internet) users have Firefox, Chrome or Internet Explorer – but not all of them have all three installed.
With the advent of internet entertainment, most users also have Adobe Flash Player and Oracle Java for watching clips/movies on YouTube.
Some of them also enjoy web-based games and applications that require Java and Flash Player.
Let’s assume that all of them have anti-virus installed.
Scenario: conduct a penetration test using client-side/social engineering attacks only. No web penetration testing. No network/wireless penetration testing.
Just client side.
(Do not forget to complete all the necessary legal paperwork before commencing.)
1. Get at least the company website address.
2. Google search.
3. Use the tool called theHarvester (http://www.edge-security.com/theHarvester.php) to harvest all e-mail addresses and other necessary information.
theHarvester is built into BackTrack 5 and Kali (Kali Linux > Information Gathering > OSINT Analysis > theharvester).
4. Use the harvested addresses to target and attack the e-mail accounts found.
Note that public exploits against the browsers, Flash, other Adobe software and other local programs will not get through without being detected by their anti-virus, making the attack unsuccessful.
5. So the best chance we have is to use the ever reliable Dr Evil Java applet trick. Almost 95% of the systems are using Java or at least have Java installed.
6. Now that our plan is ready… time to hunt ‘them’ down…
7. We can start with pipl.com, Facebook, MySpace, Twitter, LinkedIn and other social networking sites. More often than not, at least a few of the staff/employees are using their company e-mail to subscribe to these sites.
Use the e-mail addresses to start profiling specific targets, and start the social engineering attacks.
8. Add them, befriend them and attempt a general conversation to build trust. If you are good, you can even ask a generic question like “what is the best anti-virus you would recommend?”
9. Now set up SET (BackTrack > Exploitation Tools > Social Engineering Tools > Social Engineering Toolkit, or in Kali Linux > Exploitation Tools > Social Engineering Toolkit > se-toolkit).
10. Using virtual machines, create a lab that ‘simulates’ the real-world scenario (hardened, fully patched, firewall enabled, AV enabled, etc.).
11. On SET, time to attack a target (option 1).
12. Create an evil Java applet: Website Attack Vectors (option 2).
13. Then Java Applet Attack Method (option 1).
14. Then Web Templates (option 1).
15. You can use Facebook (option 4).
16. This is where the testing should be done. It is very important to use a payload that is not detected by any security products (IDS, IPS and AV).
17. In this example, through social engineering, let’s assume that the victim is using Kaspersky Internet Security. You need to do some trial and error.
In my previous testing, it looks like payload 11 is not detected by Kaspersky AV.
(Option 11 – SE Toolkit Interactive Shell, “Custom interactive reverse toolkit designed for SET…” – works like a charm!)
18. Then it is good to bind the local port to 443; the payload will use it to connect back to us.
Note that you need to subscribe to a free DDNS service, and you also need to open/forward ports 443 and 80 to the IP address of the SET host (BackTrack or Kali).
19. Then use bit.ly to shorten the URL and obfuscate/hide your real WAN IP.
Now we are ready!
20. Get back to that social engineering ninjitsu and make the target victim click on the link.
21. If all is well, voilà!
22. Press “1” to start interacting with the opened session and type help to see the supported commands.
23. I love the pure Windows command shell. Just type “shell”.
24. To see running applications and services, type “tasklist”.
25. At this point the machine is pwned!
26. If the user is not running as an admin account, you can start escalating privileges, pivoting to other machines, harvesting password hashes, opening FTP sessions… the possibilities are endless!
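From the defender's side, the walkthrough above leaves two host-side traces worth alerting on: a command shell spawned as a child of the Java process once the operator types “shell”, and the Java process itself connecting out on 443/80 to a dynamic-DNS hostname. The following Python is an added example (not from the original post or from SET) that flags both in constructed Sysmon-style events; the log format, the DDNS suffix list and all hostnames are assumptions made up for the example.

```python
# Added example: detect the host-side traces of a browser Java applet reverse shell.
# Event format, DDNS suffixes and all sample values are constructed, not real telemetry.
from dataclasses import dataclass

JAVA_IMAGES = {"java.exe", "javaw.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
DDNS_SUFFIXES = (".ddns.example", ".dyn.example")  # hypothetical; use your own intel list
CALLBACK_PORTS = {80, 443}                           # ports the post tells the attacker to bind

@dataclass
class Event:
    kind: str          # "ProcessCreate" or "NetworkConnect"
    image: str
    parent: str = ""   # ProcessCreate only
    host: str = ""     # NetworkConnect only
    port: int = 0      # NetworkConnect only

def parse(line: str) -> Event:
    """Parse one constructed pipe-delimited line into an Event."""
    f = line.strip().split("|")
    if f[0] == "ProcessCreate":              # ProcessCreate|image|parent_image
        return Event(f[0], f[1].lower(), parent=f[2].lower())
    return Event(f[0], f[1].lower(), host=f[2].lower(), port=int(f[3]))  # NetworkConnect|image|host|port

def shell_from_java(events):
    """Command shells whose parent is a Java process (the 'shell' step)."""
    return [e for e in events if e.kind == "ProcessCreate"
            and e.image in SHELL_IMAGES and e.parent in JAVA_IMAGES]

def java_callback(events):
    """Java connecting out on 80/443 to a dynamic-DNS name (the DDNS callback step)."""
    return [e for e in events if e.kind == "NetworkConnect"
            and e.image in JAVA_IMAGES and e.port in CALLBACK_PORTS
            and e.host.endswith(DDNS_SUFFIXES)]

SAMPLE_LOG = """\
ProcessCreate|iexplore.exe|explorer.exe
ProcessCreate|java.exe|iexplore.exe
NetworkConnect|java.exe|update.java.example|443
NetworkConnect|java.exe|attacker-box.ddns.example|443
ProcessCreate|cmd.exe|java.exe
ProcessCreate|cmd.exe|explorer.exe
"""

def analyse(log: str = SAMPLE_LOG) -> dict:
    """Return hit counts per heuristic; benign lines above must not match."""
    events = [parse(l) for l in log.splitlines() if l]
    return {"shell_from_java": len(shell_from_java(events)),
            "java_callback": len(java_callback(events))}

if __name__ == "__main__":
    print(analyse())  # {'shell_from_java': 1, 'java_callback': 1}
```

Either hit alone is suspicious; both from the same host within minutes is a strong signal that a browser-delivered applet has a live session, which is the point at which the post's later steps (tasklist, pivoting) would begin.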